By Danny Yadron
LAS VEGAS--Could encrypted messaging--long the province of
privacy hawks and conspiracy theorists--go mainstream?
Yahoo Inc. said Thursday it will join an effort by rival Google
Inc. to create a secure email system by next year that could make
it nearly impossible for hackers or government officials to read
users' messages. Even the email providers themselves won't be able
to decrypt messages.
If the companies are successful, it would mark a first step in
bringing advanced privacy technology to a widely used consumer
service. It is also a stark example of how tech giants are
rethinking their business plans after Edward Snowden began leaking
secrets from the National Security Agency last year. Until
February, Yahoo didn't have a C-suite level executive dedicated to
information security.
Yahoo's move comes as large technology companies put increased
emphasis on warding off government spies and hackers. Google on
Thursday announced encrypted websites now will fare better in its
search results. Microsoft Corp. recently fought, unsuccessfully, a
U.S. government request for data stored in Ireland.
Bruce Schneier, a longtime cybersecurity researcher and chief
technology officer at Co3 Systems Inc., said the moves are
disrupting what had been a "public-private surveillance
partnership."
"What's going to happen when the FBI goes to Google or Yahoo and
says, 'I want the email from this guy,' and Google or Yahoo says,
'We can't give it to you?'" Mr. Schneier said.
Google in June announced plans to develop spy-proof email. The
addition of Yahoo is notable because the two have access to so many
email users and because Yahoo shed new details on the project. Google
counts 425 million unique Gmail users, Yahoo 110 million.
Microsoft, which offers the free Web email service Outlook.com,
has previously said it is working to incorporate encryption
technologies into the service formerly known as Hotmail.
Yahoo and Google say the encryption tool will be an optional
feature that users will have to turn on. Engineers at the
technology firms--bitter competitors in many fields--frequently
talk to each other about the project, people at both companies
say.
The tool will rely on a version of PGP encryption, a long-tested
way of scrambling data that hasn't yet been cracked. Unlike
traditional webmail services that rely on tech companies holding
passwords and usernames for consumer accounts, PGP relies on users
having their own encryption key stored on laptops, tablets and
smartphones.
Traditionally, that has made it very difficult to use. There is
no password-reset function, and users have to go through several
steps using clunky software to send even short emails.
"How do you get children to eat their spinach?" asked
Christopher Soghoian, a security and privacy researcher at the
American Civil Liberties Union. "PGP is even less tasty than
spinach."
Mr. Soghoian said Yahoo and Google are taking early steps toward
making the technology easier for normal consumers. Executives at
both companies expect few users to adopt the technology
immediately.
In an interview at the Black Hat security conference here,
Yahoo's chief information security officer, Alex Stamos,
acknowledged challenges in bringing such a tool to the general
public.
Yahoo has altered its email process so users adopting encryption
type messages in a separate window, preventing even Yahoo from
reading the messages as they are typed. Mr. Stamos said his team is
testing ways to get encryption keys on mobile devices.
Yahoo also has to explain to users how PGP works and that it
isn't a panacea for privacy concerns. For instance, it only
encrypts the content of messages--not the data on who sends and
receives the messages or the subject line.
"We have to make it clear to people it is not secret you're
emailing your priest," Mr. Stamos said. "But the content of what
you're emailing him is secret."
The companies could find themselves in legal disputes. Lavabit,
Mr. Snowden's old email provider, shuttered itself last year after
a court ordered it to hand over its encryption keys. If Google and
Yahoo are successful, they will be able to argue that they don't
have the keys for their encryption service.
"It's not clear the Lavabit example actually scales up," Mr.
Stamos said. "That's very different from a publicly traded
multibillion-dollar company with an army of lawyers who would love
to take this argument all the way to the Supreme Court."
Shira Ovide contributed to this article.
Write to Danny Yadron at danny.yadron@wsj.com